When I tried to backup all the apps on my TI-84, TiLP crashed because of a strcpy() overflow.
Program received signal SIGABRT, Aborted.
0x00007ffff694bdf7 in raise () from /lib64/libc.so.6
(gdb) bt
at /mnt/vm/compile/portage/sci-libs/libticalcs2-1.1.8/work/libticalcs2-1.1.8/src/calc_84p.c:455
at /mnt/vm/compile/portage/sci-libs/libticalcs2-1.1.8/work/libticalcs2-1.1.8/src/backup.c:338
at /mnt/vm/compile/portage/sci-libs/libticalcs2-1.1.8/work/libticalcs2-1.1.8/src/calc_xx.c:1859
I created a patch for libtifiles2:
diff -uprN /tmp/libtifiles2-1.1.6.orig/src/tifiles.h /tmp/libtifiles2-1.1.6/src/tifiles.h
--- /tmp/libtifiles2-1.1.6.orig/src/tifiles.h 2014-10-31 21:50:22.141971904 +0800
+++ /tmp/libtifiles2-1.1.6/src/tifiles.h 2014-10-31 21:57:39.241667003 +0800
@@ -240,7 +240,7 @@ typedef struct
uint8_t revision_day;
uint8_t revision_month;
uint16_t revision_year;
- char name[9];
+ char name[VARNAME_MAX];
uint8_t device_type;
uint8_t data_type;
uint32_t data_length;
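Review bot: enlarging `char name[9]` to `char name[VARNAME_MAX]` raises the limit but does not remove the unbounded copy; the strcpy() at calc_84p.c:455 in the backtrace still writes whatever length it is given, so a name longer than VARNAME_MAX bytes overflows exactly as before. The copy site needs an explicit length check (or a bounded copy with truncation reported to the caller) regardless of the array size. Two further points for this hunk: VARNAME_MAX must be defined earlier in tifiles.h for this to compile, and since this is a public typedef'd struct its size and the offsets of every field after `name` change, so anything built against the old header must be rebuilt.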
@@ -301,7 +301,7 @@ struct _FlashContent
uint8_t revision_day;
uint8_t revision_month;
uint16_t revision_year;
- char name[9];
+ char name[VARNAME_MAX];
uint8_t device_type;
uint8_t data_type;
uint8_t hw_id;
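Review bot: same concern as the first hunk, with one addition specific to `_FlashContent`: the log below shows `write_string8` rejecting the 9-byte UTF-8 encoding of "Français", so the on-disk format still holds at most 8 bytes for this field. A larger in-memory `name` only moves the failure from the copy to the write; the name has to be validated against the 8-byte on-disk limit (in bytes, not characters, and cut only on a UTF-8 sequence boundary) before it reaches the writer, and the caller should get an error rather than a silently corrupted name.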
Now it no longer crashes, but the backup still fails.
(tilp:26870): tifiles-CRITICAL : string passed in 'write_string8' is too long (>n chars).
(tilp:26870): tifiles-CRITICAL : s = Français, len(s) = 9
tifiles-INFO: 46 72 61 6E C3 A7 61 69 73 (9)
(tilp:26870): tifiles-CRITICAL **: ti8x_file_write_flash: error writing file /tmp/tigCY9HOX.8Xk
I realized that the "ç" in string "Français" is the source of the issue.
$ ./test_length
strlen("Francais") == 8
strlen("Français") == 9
strlen("çççççççç") == 16
Since the maximum length for app names is 8 chars, we assumed all app-name strings are char[8], but that is not correct: 8 characters != sizeof(char * 8). We need to rework all the code related to char[8]; maybe replacing char with w_char is a solution.
It's my first time using SourceForge. I didn't know that SourceForge supports Markdown, sorry for the formatting :(
The title is also broken because of a typo, and it is not editable :(
Last edit: Tom Li 2014-10-31
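The point of the test_length output above is that strlen() counts bytes, while the 8-character limit in the calculator's file format is enforced in bytes by write_string8, so a name that looks 8 characters long can be 9 or 16 bytes. The following is an added example, not code from the report or from libtifiles2/libticalcs2, showing how a defender-oriented copy would handle this: it counts UTF-8 code points separately from bytes, rejects malformed input, and copies into a fixed-size buffer (sized like the original `char name[9]`) without ever overflowing it, cutting only on a code-point boundary and reporting that truncation happened so the caller can refuse the name instead of silently writing a corrupted one. The function names and the `UTF8_INVALID` sentinel are this example's own choices.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define UTF8_INVALID ((size_t)-1)   /* returned for malformed UTF-8 (example's own convention) */

/* Number of bytes in the UTF-8 sequence that starts with lead byte b; 0 if b is
 * a continuation byte or not a valid lead byte. */
static size_t utf8_seq_len(unsigned char b)
{
    if (b < 0x80)            return 1;
    if ((b & 0xE0) == 0xC0)  return 2;
    if ((b & 0xF0) == 0xE0)  return 3;
    if ((b & 0xF8) == 0xF0)  return 4;
    return 0;
}

/* Check that the n-1 bytes after lead byte p[0] are continuation bytes (10xxxxxx).
 * Stops at a NUL, so it never reads past the end of the string. */
static int utf8_seq_ok(const unsigned char *p, size_t n)
{
    for (size_t i = 1; i < n; i++)
        if ((p[i] & 0xC0) != 0x80)
            return 0;
    return 1;
}

/* Count code points (what a user would call "characters") in a NUL-terminated
 * UTF-8 string. Returns UTF8_INVALID on malformed input. */
size_t utf8_count_chars(const char *s)
{
    const unsigned char *p = (const unsigned char *)s;
    size_t count = 0;
    while (*p) {
        size_t n = utf8_seq_len(*p);
        if (n == 0 || !utf8_seq_ok(p, n))
            return UTF8_INVALID;
        p += n;
        count++;
    }
    return count;
}

/* Copy src into dst (dst_size bytes, NUL terminator included) without ever
 * writing past dst. Copies whole code points only, so a multi-byte sequence is
 * never split. Sets *truncated to 1 if src did not fit. Returns the number of
 * bytes stored (excluding the NUL), or UTF8_INVALID on malformed input. */
size_t utf8_copy_bounded(char *dst, size_t dst_size, const char *src, int *truncated)
{
    const unsigned char *p = (const unsigned char *)src;
    size_t out = 0;
    if (dst_size == 0)
        return UTF8_INVALID;
    *truncated = 0;
    while (*p) {
        size_t n = utf8_seq_len(*p);
        if (n == 0 || !utf8_seq_ok(p, n)) {
            dst[out] = '\0';
            return UTF8_INVALID;
        }
        if (out + n >= dst_size) {      /* sequence plus NUL would not fit: stop here */
            *truncated = 1;
            break;
        }
        memcpy(dst + out, p, n);
        out += n;
        p += n;
    }
    dst[out] = '\0';
    return out;
}

int main(void)
{
    /* Constructed sample names: "Français" is written with explicit UTF-8 bytes for "ç". */
    const char *names[] = { "Francais", "Fran\xc3\xa7" "ais", "\xc3\xa7\xc3\xa7\xc3\xa7\xc3\xa7\xc3\xa7" };
    char name[9];                       /* same size as the original struct field */
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        int truncated;
        size_t stored = utf8_copy_bounded(name, sizeof name, names[i], &truncated);
        printf("bytes=%zu chars=%zu stored=%zu truncated=%d -> \"%s\"\n",
               strlen(names[i]), utf8_count_chars(names[i]), stored, truncated, name);
    }
    return 0;
}
```

Whether an 8-character but 9-byte name should be truncated, rejected, or transliterated is a policy decision for the file writer; what the copy routine must guarantee is only that it never overflows and never emits half of a multi-byte sequence, and that the caller can tell when the stored name differs from the requested one.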
Currently, I am using a dirty hack which drops the extra chars. But this is a real dirty hack.
Last edit: Tom Li 2015-05-18
Thanks for the report. It happens that this bug, in the same function, was already reported on an IRC chan several weeks ago :)
Locally, I've precisely started eliminating all strcpy and strcat calls from the code base, because it needs to be done anyway, irrespective of fixing other encoding-related issues.
Switching from char to wchar is not an option with UTF-8.
Fixed a while ago in Git; the fix is now part of the libraries associated with TILP II 1.18.